CVE-2025-69073
Published: 22 January 2026
Summary
CVE-2025-69073 is a high-severity PHP Remote File Inclusion (CWE-98) vulnerability. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 39.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-69073 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, classified as PHP Remote File Inclusion but enabling PHP Local File Inclusion, affecting the AncoraThemes Piqes WordPress theme. The issue impacts all versions from n/a through 1.0.11 and is associated with CWE-98. Published on 2026-01-22, it carries a CVSS v3.1 base score of 8.1 (High).
Remote attackers can exploit this vulnerability over the network with no required privileges or user interaction, though high attack complexity is needed. Successful exploitation grants high impacts on confidentiality, integrity, and availability, potentially allowing attackers to read sensitive local files or execute arbitrary code if PHP files are included.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/piqes/vulnerability/wordpress-piqes-theme-1-0-11-local-file-inclusion-vulnerability?_s_id=cve provides details on this local file inclusion vulnerability in the Piqes WordPress theme version 1.0.11.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-3901
Vulnerability details
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Piqes piqes allows PHP Local File Inclusion.This issue affects Piqes: from n/a through <= 1.0.11.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
LFI vulnerability in public-facing WordPress theme directly enables remote exploitation (T1190) and local file reads (T1005); arbitrary code execution possible via included PHP files.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mitigates improper filename control in PHP include/require by requiring validation of user-supplied file paths to block local file inclusion.
Requires timely remediation of the specific flaw in the Piqes WordPress theme versions through <=1.0.11 to eliminate the vulnerability.
Restricts types and quantities of information inputs, such as whitelisting allowed filenames, to prevent arbitrary local file paths from being processed in includes.